Barracuda recently announced that its Email Security Gateway (ESG) appliances are vulnerable to remote code execution (RCE), meaning that carefully crafted input can be used to plant malware inside a corporate environment. The vulnerability is tracked as CVE-2023-2868, and the attack begins with a malicious email message. The vulnerability has existed since October 2022, and corporate administrators are urged to patch any Barracuda ESG appliance as soon as possible.
Because the exploitation window has spanned months, administrators with Barracuda ESG products should be reviewing log files for any signs of compromised systems. Remote code execution also lets attackers drop additional malware, so administrators must scan and analyze the environment for any secondary malware used to keep the compromise persistent, even after patching the Barracuda appliance.
Malware Deployed to Steal Email Data
The compromise of Barracuda systems started with a malicious email. The email contained a carefully crafted .tar file labeled as a .jpg or .dat file, file types that appear harmless and carry no payload. The attachment is presented as a snapshot of the network's recent malicious or spam activity. Still, the .tar file contains the malware that initiated the compromise and connected the appliance to the command-and-control server.
Barracuda was unaware of the security flaw until a cybersecurity research firm investigated recent suspicious traffic from ESG appliances. The firm found that customized malware had been injected into the appliances and used to exfiltrate data from the compromised corporate environment and to provide backdoor access. The vulnerability gave complete control of the remote system, which means that almost any remote code injection was possible for months.
Backdoor access to the target environment was introduced through a compromised SMTP daemon named bsmtpd that runs on every Barracuda ESG appliance. Customized malware named Saltwater compromised bsmtpd and installed the backdoor, which offered its author several remote-control features, including the ability to transfer files, execute additional shell commands remotely, and proxy traffic to evade intrusion detection systems.
Secondary malware named SeaSide was also found during the investigations. SeaSide connects to a command-and-control (C2) server and allows remote code execution using standard SMTP HELO/EHLO messages. A HELO/EHLO command opens the conversation between a remote client and the local SMTP server. The reverse shell C2 module gave attackers complete control over the appliances, allowed data exfiltration, and let attackers install additional malware on the corporate server.
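The HELO/EHLO channel described above is something a defender can watch for in gateway logs. The following is an added example (not Barracuda's code or the researchers' detection logic), written in Python against a constructed log format (`client=<ip> helo=<arg>`); it flags any HELO/EHLO argument that is neither an address literal nor a dotted hostname. That is stricter than RFC 5321, which allows a single-label domain, but it matches the common MTA policy of rejecting non-FQDN HELO names. The log regex and the sample lines are assumptions to adapt to your own gateway's log format.

```python
"""Flag SMTP HELO/EHLO arguments that do not look like a hostname.

Added example; not Barracuda's tooling or the cited research firm's code.
The log format below is constructed for the demo: adapt LOG_RE to the
gateway's real log lines. RFC 5321 says the HELO/EHLO argument is a domain
name or an address literal, and most MTAs additionally expect a fully
qualified name, so anything else deserves a second look when hunting for
command-and-control traffic riding on the HELO/EHLO exchange.
"""
import ipaddress
import re

# Constructed log lines in a generic "client=<ip> helo=<arg>" shape.
SAMPLE_LOG = """\
2023-05-30T10:01:02Z smtpd[4211]: client=203.0.113.7 helo=mail.example.net
2023-05-30T10:01:05Z smtpd[4211]: client=198.51.100.9 helo=[198.51.100.9]
2023-05-30T10:01:09Z smtpd[4211]: client=192.0.2.44 helo=[IPv6:2001:db8::25]
2023-05-30T10:02:11Z smtpd[4212]: client=203.0.113.8 helo=x7Q9kLm3=zPq0Rt
2023-05-30T10:02:14Z smtpd[4212]: client=203.0.113.8 helo=aGVsbG8gd29ybGQgdGhpcyBpcyBsb25n
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+helo=(?P<helo>\S+)")
# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_helo(arg: str) -> bool:
    """True if arg is an address literal or a fully qualified domain name."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        try:
            if inner.startswith("IPv6:"):
                ipaddress.IPv6Address(inner[len("IPv6:"):])
            else:
                ipaddress.IPv4Address(inner)
            return True
        except ValueError:
            return False
    if len(arg) > 253:
        return False
    labels = arg.split(".")
    # Policy choice (stricter than RFC 5321): require at least two labels,
    # so an undotted blob of encoded data is not accepted as a hostname.
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def suspicious_helo_events(log_text: str) -> list[tuple[str, str]]:
    """Return (client, helo) pairs for lines whose HELO is not hostname-like."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and not is_valid_helo(match["helo"]):
            findings.append((match["client"], match["helo"]))
    return findings


if __name__ == "__main__":
    for client, helo in suspicious_helo_events(SAMPLE_LOG):
        print(f"suspicious HELO from {client}: {helo!r}")
```

Run against the constructed sample, the two valid hostnames and both address literals pass, and the two lines carrying non-hostname strings from 203.0.113.8 are reported. A repeated sender with odd HELO arguments is the pattern worth correlating with the appliance-side IoCs.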
Widespread Effects Across Private and Public Entities
Barracuda products are widely deployed in several countries by both public (government) and private organizations. Any entity using ESG products should patch its systems immediately. The publicly known vulnerability makes delaying patches especially dangerous, and the customized malware makes it difficult for intrusion detection systems to alert administrators when the vulnerability is exploited.
Most concerning is that governments used ESG across different public sectors, and it's possible that governments were compromised for several months before the malware was found. US government bodies and several private corporations, including Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi, were affected. Silent data exfiltration could expose many people and companies to further targeted threats or identity theft.
Luckily for administrators, Barracuda released a list of Indicators of Compromise (IoCs) that should be reviewed. The IoC entries include file names, MD5 hashes, and types of activity that can be used to determine whether SeaSide or SeaSpy is installed on a Barracuda ESG appliance in your environment. Both network and endpoint IoC entries should reveal whether your appliances are compromised. Barracuda also offers administrators a set of rules that can be used to hunt for any malicious .tar files stored in the environment or downloaded from the initial malicious email message.
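One way to act on these IoCs and on the disguised .tar attachment described earlier, as an added example that is not Barracuda's own tooling or IoC list: the Python script below walks a directory and flags (a) files named .jpg/.jpeg/.dat whose bytes actually carry a tar archive header, and (b) files whose MD5 matches a hash set. The `IOC_MD5` set holds a placeholder only; substitute the MD5 values from Barracuda's published IoC list. The sample files it writes into a temporary directory are constructed for the demo and contain no malware.

```python
"""Hunt for disguised .tar attachments and IoC hash matches on disk.

Added example; not Barracuda's tooling or IoC data. IOC_MD5 is a PLACEHOLDER
to be replaced with the vendor's published MD5 values. Two checks per file:
(1) a .jpg/.jpeg/.dat name whose bytes carry the POSIX tar magic ("ustar" at
byte offset 257), the disguise described in the article; (2) an MD5 digest
that appears in the IoC set.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# PLACEHOLDER IoC hashes (constructed); substitute the vendor's published MD5s.
IOC_MD5 = {
    "00000000000000000000000000000000",  # placeholder, not a real IoC
}

DISGUISE_EXTENSIONS = (".jpg", ".jpeg", ".dat")


def looks_like_tar(data: bytes) -> bool:
    """POSIX ustar and GNU tar headers both place 'ustar' at byte offset 257."""
    return len(data) >= 262 and data[257:262] == b"ustar"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_file(path: str, ioc_hashes=IOC_MD5) -> list[str]:
    """Return finding strings for one file (empty list if nothing matched)."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    ext = os.path.splitext(path)[1].lower()
    if ext in DISGUISE_EXTENSIONS and looks_like_tar(data):
        findings.append(f"tar archive disguised as {ext}: {path}")
    digest = md5_hex(data)
    if digest in ioc_hashes:
        findings.append(f"MD5 IoC match {digest}: {path}")
    return findings


def scan_tree(root: str, ioc_hashes=IOC_MD5) -> list[str]:
    """Scan every regular file under root and collect findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            findings.extend(scan_file(os.path.join(dirpath, name), ioc_hashes))
    return findings


def build_constructed_samples(root: str) -> dict[str, bytes]:
    """Write constructed demo files into root and return their contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"constructed sample, not malware\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    samples = {
        "snapshot.jpg": buf.getvalue(),                      # tar bytes behind a .jpg name
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 300,    # genuine JPEG magic bytes
        "readme.dat": b"plain text, nothing to see here\n",  # matched by hash below
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return samples


def demo() -> list[str]:
    """Scan constructed files; one is a disguised tar, one is matched by hash."""
    with tempfile.TemporaryDirectory() as root:
        samples = build_constructed_samples(root)
        # Simulate the vendor list containing the hash of readme.dat.
        iocs = IOC_MD5 | {md5_hex(samples["readme.dat"])}
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The extension-versus-magic check catches the disguise regardless of file name, so it remains useful even if an attacker rotates names; the hash check is only as good as the IoC list, which is why both run together. Point `scan_tree` at the appliance's attachment store or a mail quarantine export rather than at the demo directory.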
For any organization with Barracuda appliances on its network, administrators must install the latest security patches addressing the current vulnerability and any others in the future. If administrators do not yet monitor CVEs and current products for security patches, a system should be put in place to send alerts when a vulnerability is found and reported. Vulnerabilities are given a numeric risk score, and a higher score makes it even more dangerous to delay patches. CVEs with published proof-of-concept (PoC) scripts are also dangerous because the PoC can be used to exploit the vulnerability immediately.
Focus on the Importance of Email Security and Email Filtering
Many of today's malware infections and network compromises start with a malicious email. Researchers into the Barracuda compromise acknowledge that the attack came from a highly skilled group of cyber-criminals. Still, rumors that it is a state-sponsored attack stemming from China are unfounded. Attacks at this scale are usually from organized cyber-crime rings looking for massive amounts of private information, intellectual property, and sensitive corporate and government data. Organized hacker rings typically consist of individuals across multiple countries.
Although Barracuda ESG appliances are meant to protect corporations from specific threats, relying on a single point of failure is not advisable. Having a system in place that directly addresses phishing adds protection to employee inboxes when another layer fails. Protection solutions, including SpamTitan Plus, analyze incoming emails for potential malware and block it from reaching the intended recipient.
Saltwater, SeaSide, and SeaSpy aren't the only attacks on security systems that start with a malicious email, and they certainly won't be the last. Email protection against phishing and malicious attachments is necessary to defend against these threats. Adding phishing and spam protection to your environment requires a product that explicitly identifies these malicious messages, preferably using artificial intelligence, so that the environment is better protected against zero-day threats and sophisticated bypasses built to avoid detection.
Cybersecurity should be done in layers, and one of those layers is email protection. Other solutions, including Barracuda, add layers, but no single solution should ever be the only defense against a specific threat. TitanHQ has several solutions that protect against email-based threats and stop sophisticated ones like SeaSide and SeaSpy. Check out our solutions or start a free trial today.
Discover the best Barracuda Security Solution Alternative for your organization.